
 
From: ZeroBreak (ZeroBreak@mailandnews.com)
Date: Thu May 03 2001 - 18:33:30 CDT


    I hope this will answer a lot of the questions that I have been seeing about
    the IIS 5.0 ISAPI .printer buffer overflow.
    I have seen on several websites, including Microsoft.com, that Windows 2000
    Professional is NOT in the list of vulnerable systems, just 2000 Server. I
    just ran two versions of the exploit, one from eEye and one from Dark
    Spyrit, on a default installation of Windows 2000 Professional & IIS 5.0,
    and they both completed successfully, but both with different results. I
    have run both exploits several times each, and received the same results
    every time. You can contact me at ZeroBreak@mailandnews.com if need be.
    Please do not email me asking for the exploit code.

    Test System: Microsoft Windows 2000 Professional: Service Pack 1

            --Zerobreak

    eEye
    ____
    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Error
    User: N/A
    Computer: 2KLAPTOP
    Source: WAM
    Category: None
    Event ID: 204
    Description:
            The HTTP server encountered an unhandled exception while
            processing the ISAPI Application '
            ntdll!RtlDeleteCriticalSection + 0x5A
            msw3prt!DllMain + 0x6E
             + 0xFFFEFFF8
             + 0x8837DF23
            '.
            For additional information specific to this message please visit the
            Microsoft Online Support site located at:
            http://www.microsoft.com/contectredirect.asp.

    Discussion:
            Now... after I ran the exploit I couldn't get into the IIS snap-in of the
            Microsoft Management Console, it froze. So I ran the command line status
            utility, 'iisreset 2klaptop /STATUS', and it said the service was running.
            But a test with IE and Telnet to connect to the web server timed out. The
            IIS log showed '02:09:14 127.0.0.1 GET /null.printer 2011706191'. I let the
            PC sit idle for about 15 minutes but IIS was still acting up; I couldn't
            connect, but according to iisreset IIS was running. As I stated before, I
            could not get into the IIS snap-in in MMC, so I used the iisreset utility
            to restart IIS: 'iisreset 2klaptop /restart'. It successfully stopped and
            restarted IIS, and then I was also able to access the IIS snap-in in MMC
            and connect using Internet Explorer.

    Conclusion:
            eEye's exploit code worked as it should, but IIS did not restart itself. And
            it also left information in IIS's log files, including the attacker's IP
            address.

    Dark Spyrit
    ___________

    Discussion:
            I have received a different reaction with Dark Spyrit's exploit code, which
            I will not post for obvious reasons, which Russ from NTBugTraq also pointed
            out. The exploit code that eEye provides is perfectly useful for
            determining if your system is vulnerable. We are going to see an outbreak
            of hacks from this as it is, let alone posting more devastating code.

            Now after saying that, here is what I got from Dark Spyrit's code. His
            exploit spawns a reverse cmd shell, so you set up netcat on the attacker's
            machine for the server to connect back to. After running the exploit I
            successfully got the cmd shell. The IIS service stopped and then restarted
            by itself, unlike what happened with eEye's code. IIS left absolutely
            nothing in its log files, but here's the nitty gritty from the Event Log...

    Conclusion:
            Dark Spyrit's exploit code worked as it should. It successfully spawned the
            session. Also IIS created no logs of the attack. IIS restarted itself and
            was up and running again in no time at all.

    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Error
    User: N/A
    Computer: 2KLAPTOP
    Source: Service Control Manager
    Category: None
    Event ID: 7031
    Description:
            The World Wide Web Publishing service terminated
            unexpectedly. It has done this 1 time(s). The following corrective action
            will be taken in 0 milliseconds: No action.

    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Information
    User: N/A
    Computer: 2KLAPTOP
    Source: IISCTLS
    Category: None
    Event ID: 2
    Description:
            IIS stop command received from user NT AUTHORITY\SYSTEM. The
            logged data is the status code.
            For additional information specific to this message please visit the
    Microsoft
            Online Support site located at:
            http://www.microsoft.com/contentredirect.asp
    Data:
            000: 00 00 00 00 ....

    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Error
    User: N/A
    Computer: 2KLAPTOP
    Source: W3SVC
    Category: None
    Event ID: 105
    Description:
            The server was unable to register the administration tool discovery
            information. The administration tool may not be able to see this server.
            The data is the error code.
            For additional information specific to this message please visit the
    Microsoft
            Online Support site located at:
            http://www.microsoft.com/contectredirect.asp
    Data:
            0000: c6 04 00 00 Æ...

    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Error
    User: N/A
    Computer: 2KLAPTOP
    Source: W3SVC
    Category: None
    Event ID: 115
    Description:
            The service could not bind instance 1. The data is the error code.
            For additional information specific to this message please visit the
    Microsoft
            Online Support site located at:
            http://www.microsoft.com/contentredirect.asp
    Data:
            0000: 40 27 00 00 @'..

    [System Log]
    Date: 5/3/2001
    Time: 17:00
    Type: Information
    User: N/A
    Computer: 2KLAPTOP
    Source: IISCTLS
    Category: None
    Event ID: 1
    Description:
            IIS start command received from user NT AUTHORITY\SYSTEM. The
            logged data is the status code.
            For additional information specific to this message please visit the
    Microsoft
            Online Support site located at:
            http://www.microsoft.com/contentredirec.asp
    Data:
            0000: 00 00 00 00 ....
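    The two runs above leave two different footprints: the eEye run writes a
    'GET /null.printer' line to the IIS log and a WAM 204 unhandled exception
    naming msw3prt, while the Dark Spyrit run writes nothing to the IIS log and
    shows up only as SCM 7031 for W3SVC followed by the IISCTLS stop/start pair.
    The following script is an added example by the editor, not code from
    ZeroBreak's post or from either exploit: it parses IIS log lines in the shape
    quoted above and a list of System Log records, and reports which footprint
    is present and which client IPs requested a .printer URI. The sample log
    lines and event records at the bottom are constructed from the entries in
    the post, and the function and verdict names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# IIS 5.0 log line in the shape quoted in the post:
#   '02:09:14 127.0.0.1 GET /null.printer 2011706191'
# (time, client IP, method, URI, then whatever trailing fields the log format adds)
IIS_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)"
)


@dataclass(frozen=True)
class EventRecord:
    source: str
    event_id: int
    description: str = ""


# (Source, Event ID) pairs copied from the System Log entries in the post.
WAM_UNHANDLED_EXCEPTION = ("WAM", 204)
SCM_SERVICE_TERMINATED = ("Service Control Manager", 7031)
IISCTLS_STOP = ("IISCTLS", 2)
IISCTLS_START = ("IISCTLS", 1)


def printer_requests(iis_log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (time, client, uri) for every request whose path ends in .printer.

    The vulnerable ISAPI extension is mapped to .printer, so any such request
    (with or without a query string) is worth flagging; legitimate Internet
    Printing traffic is rare enough on most hosts that the hit list stays small.
    """
    hits = []
    for line in iis_log_lines:
        m = IIS_LINE.match(line.strip())
        if not m:
            continue  # not a request line in the expected shape
        path = m.group("uri").split("?", 1)[0].lower()
        if path.endswith(".printer"):
            hits.append((m.group("time"), m.group("client"), m.group("uri")))
    return hits


def classify_events(events: Iterable[EventRecord]) -> str:
    """Map System Log records onto the two footprints the post describes.

    'wedged'    : WAM 204 whose stack names msw3prt (the eEye run: iisreset
                  reports 'running' but nothing answers until /restart)
    'restarted' : SCM 7031 for the WWW Publishing service plus IISCTLS stop
                  and start (the Dark Spyrit run: died and came back by itself)
    'none'      : neither pattern present
    """
    events = list(events)
    keys = {(e.source, e.event_id) for e in events}
    if any((e.source, e.event_id) == WAM_UNHANDLED_EXCEPTION
           and "msw3prt" in e.description.lower() for e in events):
        return "wedged"
    w3svc_died = any((e.source, e.event_id) == SCM_SERVICE_TERMINATED
                     and "world wide web publishing" in e.description.lower()
                     for e in events)
    if w3svc_died and IISCTLS_STOP in keys and IISCTLS_START in keys:
        return "restarted"
    return "none"


def assess(iis_log_lines, events) -> Tuple[str, List[str]]:
    """Combine both sources into one verdict plus the client IPs seen, if any."""
    hits = printer_requests(iis_log_lines)
    footprint = classify_events(events)
    clients = sorted({client for _, client, _ in hits})
    if footprint == "none" and not hits:
        verdict = "clean"
    elif footprint == "none":
        verdict = "printer-request-only"  # a probe, or a patched host: no crash recorded
    elif hits:
        verdict = f"exploit-{footprint}-with-iis-log"
    else:
        verdict = f"exploit-{footprint}-no-iis-log"  # the Dark Spyrit case in the post
    return verdict, clients


# Constructed sample data for a self-check (modelled on the post, not copied logs).
EEYE_IIS_LOG = ["02:09:14 127.0.0.1 GET /null.printer 2011706191"]
EEYE_EVENTS = [EventRecord("WAM", 204, "unhandled exception ... msw3prt!DllMain + 0x6E")]
SPYRIT_IIS_LOG = ["02:09:10 10.0.0.5 GET /default.htm 200"]  # nothing for the attack itself
SPYRIT_EVENTS = [
    EventRecord("Service Control Manager", 7031,
                "The World Wide Web Publishing service terminated unexpectedly."),
    EventRecord("IISCTLS", 2, "IIS stop command received from user NT AUTHORITY\\SYSTEM."),
    EventRecord("W3SVC", 105, "The server was unable to register the administration tool discovery information."),
    EventRecord("W3SVC", 115, "The service could not bind instance 1."),
    EventRecord("IISCTLS", 1, "IIS start command received from user NT AUTHORITY\\SYSTEM."),
]

if __name__ == "__main__":
    print(assess(EEYE_IIS_LOG, EEYE_EVENTS))      # exploit-wedged-with-iis-log, ['127.0.0.1']
    print(assess(SPYRIT_IIS_LOG, SPYRIT_EVENTS))  # exploit-restarted-no-iis-log, []
```

    Because the second footprint leaves no IIS log line at all, a detection that
    only greps the web logs for '.printer' misses the reverse-shell case; the
    System Log entries (SCM 7031 for W3SVC and the IISCTLS stop/start pair) are
    the only host-side trace the post records for it.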